In Cyber Threat Intelligence, the collection and analysis of Indicators of Compromise (IOCs) is critical because they provide valuable information that can help organisations detect and respond to cyber threats more effectively.

IOCs are pieces of evidence or artefacts that indicate the presence of a threat, such as a virus, malware or malicious activity, within a system or network. Examples of IOCs include IP addresses, domain names, file hashes, URLs and email addresses. By collecting and analysing these IOCs, CTI analysts can identify patterns, trends and characteristics of cyber threats, which can help in the development of defensive measures.

Harvesting IOCs involves collecting data from a variety of sources, such as threat intelligence feeds, open-source intelligence, and malware repositories. Once collected, these IOCs are analysed to determine their relevance, the severity of the threat, and the potential impact on the organisation’s systems and networks.

In the following list, I have compiled some useful tools for harvesting and analysing IOCs, ranging from open source tools to commercial solutions.

AbuseHelper

An open-source framework for receiving and redistributing abuse feeds and threat intel.

AlienVault Open Threat Exchange

Share and collaborate in developing Threat Intelligence.

Combine

Tool to gather Threat Intelligence indicators from publicly available sources.

Fileintel

Pull intelligence per file hash. The output is in CSV format and sent to STDOUT so the data can be saved or piped into another program.

Hostintel

Pull intelligence per host. Like Fileintel, the output is in CSV format and sent to STDOUT so the data can be saved or piped into another program.

IntelMQ


A tool for CERTs for processing incident data using a message queue. IntelMQ can be used for:

  • automated incident handling

  • situational awareness

  • automated notifications

  • as a data collector for other tools

  • etc.

IOC Editor

A free editor from FireEye for XML IOC files that allows:

  • Manipulation of the logical structures that define the IOC

  • Application of meta-information to IOCs, including detailed descriptions or arbitrary labels

  • Conversion of IOCs into XPath filters

  • Management of lists of “terms” used within IOCs

iocextract

Advanced Indicator of Compromise (IOC) extractor, Python library and command-line tool: extracts URLs, IP addresses, MD5/SHA hashes, email addresses, and YARA rules from text corpora. It also picks up some encoded and “defanged” IOCs (indicators deliberately altered so they are not clickable, e.g. hxxp:// or example[.]com) and optionally decodes/refangs them back to their original form.
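To make the defanging/refanging point concrete, here is a small added example of an extractor in the same spirit; it is not iocextract's own code and is not part of the original post. It refangs the common substitutions (hxxp, [.], [at], [:]) before matching, then pulls IPv4 addresses, URLs, email addresses and MD5/SHA-1/SHA-256 hashes out of a constructed sample report. The sample text, the domains and IPs in it (documentation ranges) and the two hashes (the well-known digests of empty input) are all constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample report text (not from the page): a mix of plain and
# defanged indicators, as an analyst might paste them into a ticket.
SAMPLE_TEXT = """
Observed C2 beacon to hxxp://malicious-example[.]com/gate.php from 203[.]0[.]113[.]42.
Payload sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Dropper md5 d41d8cd98f00b204e9800998ecf8427e; contact evil[at]example[.]net
Also seen: 198.51.100.7 and https://cdn.example.org/update.bin
"""

# Refanging rules: undo the substitutions analysts apply so that indicators
# in reports are not clickable. Order matters only in that scheme fixes
# come first; all rules are plain string replacements.
_REFANG_RULES = [
    (re.compile(r"hxxp", re.IGNORECASE), "http"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]|\(dot\)", re.IGNORECASE), "."),
    (re.compile(r"\[at\]|\(at\)|\[@\]", re.IGNORECASE), "@"),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[/\]"), "/"),
]

# Indicator patterns. Hash patterns rely on \b so that a 32-hex MD5 pattern
# cannot match a substring of a 64-hex SHA-256 (no word boundary inside it).
_PATTERNS = {
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "sha1": re.compile(r"\b[a-fA-F0-9]{40}\b"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
}


def refang(text: str) -> str:
    """Return text with common defanging substitutions reversed."""
    for pattern, replacement in _REFANG_RULES:
        text = pattern.sub(replacement, text)
    return text


def extract_iocs(text: str, refang_first: bool = True) -> Dict[str, List[str]]:
    """Extract indicators grouped by type, de-duplicated, in order of appearance.

    With refang_first=False the defanged indicators are simply missed, which
    is the failure mode refanging exists to avoid.
    """
    if refang_first:
        text = refang(text)
    found: Dict[str, List[str]] = {}
    for kind, pattern in _PATTERNS.items():
        hits: List[str] = []
        for match in pattern.finditer(text):
            value = match.group(0).rstrip(".,;)")  # drop trailing sentence punctuation
            if value not in hits:
                hits.append(value)
        found[kind] = hits
    return found


def to_csv_rows(iocs: Dict[str, List[str]]) -> List[str]:
    """Flatten the result into 'type,value' rows, the shape Fileintel/Hostintel
    style tools emit on STDOUT so output can be piped onward."""
    rows = ["type,value"]
    for kind, values in iocs.items():
        rows.extend(f"{kind},{value}" for value in values)
    return rows


if __name__ == "__main__":
    for row in to_csv_rows(extract_iocs(SAMPLE_TEXT)):
        print(row)
```

Running the block prints the CSV rows to standard output; calling `extract_iocs(SAMPLE_TEXT, refang_first=False)` shows that the defanged C2 domain, the bracketed IP and the [at] email address disappear from the output when refanging is skipped.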

ioc_writer

Python library for working with OpenIOC objects, from Mandiant.

MalPipe

Malware/IOC ingestion and processing engine that enriches collected data.

At this time, the following feeds are supported:

MISP


Malware Information Sharing Platform, curated by The MISP Project. The objective of MISP is to foster the sharing of structured information within the security community and beyond. MISP provides functionality to support not only the exchange of information but also its consumption by Network Intrusion Detection Systems (NIDS), LIDS, log analysis tools and SIEMs.

Pulsedive

Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.

Microsoft Defender Threat Intelligence

Formerly RiskIQ: research, connect, tag and share IPs and domains.

threataggregator

Aggregates security threats from a number of sources, and outputs to syslog CEF, Snort signatures, iptables rules, hosts.deny, etc.

ThreatIngestor


Build automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and more.

ThreatTracker

A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.

TIQ-test

Data visualization and statistical analysis of Threat Intelligence feeds.